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(54) Triply redundant microprocessor 
system 

(57) A triple redundant microprocessor 
system has three microprocessors 
MPA, MPB, MPC, each of which in- 
cludes a memory bus MA, MB, MC, to 
which is connected a program memory. 
ROM and a data memory RAM which 
are addressed via an associated 
address bus AB. Each microprocessor 
also includes a data bus PA, PB, PC 
which is interconnected to the memory 


bus by associated majority voting cir- 
cuits M1, M2, M3 which are also inter- 
connected to the other microprocessor 
data buses and memory buses. The 
majority voting circuits function. to pro- 
vide majority voting on the respective 
microprocessor data bus and memory 
bus in response to the condition of 
signals present on the data buses and 
the memory buses connected thereto 
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and to signals generated to the microp- 
rocessors. The system provides major- 
ity voting on bidirectional data buses 
only, and incorporates a phase locking 
arrangement for the internal clock 
generators CO of the. microprocessor 
and also a hardware/software arrange- 
ment for instruction synchronism. 
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SPECIFICATION 

Microprocessor system 

5 The present invention relates to microprocessor 
systems and in particular to a triple redundant 
microprocessor system which uses majority voting 
circuits. 

The technique of using triple redundancy with 

10 majority voting to produce reliable systems from 
imperfectly reliable components is well known in the 
art, and when the technique is applied to commer- 
cially available microprocessors certain problems 
arise. The first problem is that only those signals that 

15 appear on external pin connections of the microp- 
rocessor are available for comparison. The second 
problem is that for majority voting to be meaningful, 
the microprocessors must operate in exact syn- 
chronism, and the third problem is that instruction 

20 synchronism must be maintained. 

Accordingly an aim of the present invention is to 
provide a triple redundant microprocessor which 
overcomes the above mentioned problems in an 
efficient and effective manner, 

25 According to the present invention there is pro- 
vided a triple redundant microprocessor system 
wherein each microprocessor includes a memory 
bus to which is connected a program memory and 
data memory which are addressed via an associated 

30 address bus, each microprocessor also includes a 
data bus which is interconnected to the memory bus 
via associated majority voting circuits which are also 
interconnected to the other microprocessor data 
buses and memory buses and which function to 

35 provide majority voting on the respective microp- 
rocessor data bus and memory bus in response to 
the condition of signals present on the data buses 
and memory buses connected thereto, and to sig- 
nals generated by the respective microprocessor. 

40 An embodiment of the invention will now be 
described with reference to the accompanying draw- 
ings, of which 

Figure 1 shows a block diagram of a triple 
redundant microprocessor system, and, 

45 Figure 2 shows a schematic diagram of a majority 
voting circuit as used in Figure 1 , 

Referring Figure 1, three microprocessors MPA, 
MPB and MPC are shown with all their associated 
circuitry. The circuitry for each is identcial and will be 

50 described collectively. Each microprocessor has an 
associated clock oscillator CO and timer T. Oscillator 
CO has a clock fail indicator CF and timer T has a 
sync fail indicator SF. Timer T is used to provide an 
interrupt signal INT for its associated microproces- 

55 sor via a majority gate. Each microprocessor has an 
address bus AB for addressing an associated ran- 
dom access memory RAM, a read only memory 
ROM and an input/output device I/O ail of which 
output onto an associated memory bus MA, MB and 

60 MC. The memory buses MA, MB and MC are all 
connected to a respective input of one half the 
majority voting circuit M1 associated with each 
microprocessor. The circuit M1 provides suitable 
gating logic which provides a read error signal RE 

65 and an output signal OP1 which is delivered to a 


tristate buffer TB1 . The associated microprocessor 
produces a directional control signal RD,the inverse 
of which is applied to the tristate buffer TB1 and to 
an error monitoring system SEL. The system SEL 

70 also receives the associated read error signal RE and 
provides an indication for random access memory 
errors RAME, read only memory errors ROME and 
input/output errors l/OE. The output of the associ- 
ated tristate buffer TB1 is applied to the associated 

75 microprocessor data bus PA, PB orThe data bus is 
applied to a second half of an associated majority 
voting circuit M2 which is connected also to the 
other data buses. Majority voting circuit M2 provides 
suitable gating logic which responds to the signals 

80 on the data buses and the circuit M2 provides an 
output signal OP2 and a write error signal WE. The 
output signal OP2 is applied to a tristate buffer TB2 
together with an inverse directional control signal 
WR which is originated by the associated microp- 

85 rocessor. The output from the tristate buffer TB2 is 
applied to its associated memory bus MA, MB or 
MC. The control signal WR and the write error signal 
WC are applied to an error monitoring system MPE 
which provides an indication for microprocessor 

90 errors. 

Referring to Figure 2, a bidirectional majority 
voting circuit Is shown. Eight such circuits are 
provided for handling the eight bits of information 
which are present on each bus. The circuit shown is 
95 connected for use in association with microproces- 
sor MPA and similar circuits are used for microp- 
rocessor MPB and MPC. The microprocessor mem- 
ory data buses MA, MB and MC are connected to an 
array of gates consisting of AND gates G1 - G3, 

100 NAND gates G4 - G6 OR gate G7, and NOR gates G8, 
G9. The data buses PA, PB and PV are similarly 
connected to an array of gates consisting of AND 
gates G10 - G12, NAND gates, G13 - G15, OR, gate 
G16 and NOR gates G17, G18. Gates G1, G5 and G10 

105 andG15 have one of their inputs inverted and gates 
G6 and G1 4 have two of their inputs inverted. The 
output of gate G2 provides the read error signal RE, 
and the output of gtge G17 provides the write error 
signal WE. The outputs of gates G9 and G18 provide 

110 the respective output signals OP1 , OP2 which are 
applied to tristate buffers TB1 and TB2 respectively. 
Gate G1, G4, G10 and G13 are enabled by a signal EN 
which is produced by the respective microprocessor 
to enable/disable majority voting. The tristate buf- 

115 fers TB1,TB2 receive directional control signals RD 
and WR respectively which are produced by the 
respective microprocessor. The output of tristate 
buffer TB1 is connected to the respective microp- 
rocessor data bus PA, PB or PC, and the output of 

1 20 tristate buffer TB2 is connected to the respective 
microprocessor memory bus MA, MB or MC. 

The microprocessor system described overcomes 
the first mentioned problem, in that any change that 
occurs within a microprocessor or its memories and 

125 peripheral devices will ultimately be reflected in 
signals on the data bus which connects the microp- 
rocessor and its memories and peripheral devices. 
An adequate method of error detection and correc- 
tion is obtained by majority voting on the data bus, 

130 and the use of dummy read/writes of otherwise 
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infrequently accessed memory locations will provide 
timely warning of faults in those locations. Since the 
data bus is bi-directional, a bi-directional majority 
voting circuit as discussed is used controlled by the 
5 read/write control signals RD, WR from the respec- 
tive microprocessors. 

The majority voting circuit has error output signals 
RE, WE which are asserted when the input from its 
own microprocessor system is different from the 

1 0 other two microprocessor systems. The error signals 
are fed to the respective error counting systems SEL, 
MPE which operates warning and alarm signals at 
appropriate error rates. Each microprocessor system 
therefore monitors its own errors. 

15 In respect of the second problem discussed above, 
this is overcome by using the internal clock gener- 
ators CO of the microprocessors and phase-locking 
them. A varactor diode is connected in series with 
the frequency determining cyrstal of each microp- 

20 rocessor which allows the crystal frequency to be 
pulled by the few-parts per million necessary to 
obtain synchronism. The bias on the varactor is 
derived from a conventional phase-locked loop 
circuit which compares the phase of the clock output 

25 of each microprocessor with a reference clock. The 
reference clock is obtained from the majority of the 
three clock outputs and continues to be available 
even if one clock generator fails completely or runs 
away. The microprocessor system is therefore refer- 

30 red to the clock generator of median phase. The 
controlling clock generator is synchronised to itself 
and the phase-locked loop is provided to be stable In 
this condition. The no clock and clock out-of-lock 
condition are detected and are used to drive a clock 

35 fail indicator CF. 

The above mentioned third problem is related to 
the second in that microprocessor instruction syn- 
chronism is required and is achieved by the use of 
both hardware and software implementation. The 

40 hardware consists of an inerval timer T attached to 
each microprocessor. The output of the timer T 
drives one of the program interrupt inputs of the 
associated microprocessor, via a majority gate. By 
use of the enable/disable signal EN the majority 

45 voting circuits can be made to revert to non-voting 
operation. The microprocessor outputs are arranged 
to assume the non-voting state at power on. The 
software consists of a HALT instruction which is 
inserted in the main loop of the operating system. 

50 The HALT instruction is preceded by intructions to 
set the non-voting state and is followed by instruc- 
tions to set the voting state. 

When the system is first switched on, the microp- 
rocessors MPA, MPB and MPC run asynchronously 

55 through an initalisation sequence until they read the 
HALT instruction whereupon they stop and wait until 
a timer interrupt signal INT occurs. Since the inter- 
rupt signal is obtained from the majority of the three 
timer outputs, it occurs simultaneously in all three 

60 microprocessors, even though the timers were not 
necessarily initiated at the same instant. By the time 
the interrupt has occurred, the phase-locked loop 
will have synchronised and the microprocessors will 
be launched into an interrupt service routine in clock 

65 and instruction synchronism. The service routines 


re-starts the timer and returns control to the instruc- 
tion following the HALT instruction. The microp- 
rocessor will now be in the main loop in synchron- 
ism and with the voting state set. If one microproces- 

70 sor gets a few clock cycles out of step, when the 
other two microprocessors have reached the HALT 
instruction it will be running independantly in the 
non-voting state and has an opportunity to catch up. 
The timer period is chosen so that only a small 

75 proportion of the time is spent in the HALT state. If 
one microprocessor gets a whole instruction cycle 
out of synchronism the correct op-code will be 
forced on the data bus by the majority voting circuit 
during the Instruction fetch phase, and synchronism 

80 will be regained. 

CLAIMS 

1 . A triple redundant microprocessor system 
85 wherein each microprocessor includes a memory 

bus to which Is connected a program memory and a 
data memory which are addressed via an associated 
address bus, each microprocessor also includes a 
data bus which is interconnected to the memory bus 

90 via associated majority voting circuits which are also 
interconnected to the other microprocessor data 
buses and memory buses and which function to 
provide majority voting on the respective microp- 
rocessor data bus and memory bus in response to 

95 the condition of signals present on the data buses 
and memory buses connected thereto, and to sig- 
nals generated by the respective microprocessor. 

2. A triple redundant microprocessor system as 
claimed in claim 1 wherein each microprocessor is 

100 provided with an arrangement for synchronising the 
instructions which the microprocessors have to 
perform, said arrangement includes an interval timer 
associated with each microprocessor which drives, 
via a majority gate, a program interrupt input of the 

105 respective microprocessor, and the signals which 
each microprocessor generates include enable/dis- 
able signals which dictate the vote/non-vote state of 
the majority voting circuits, said enable/disable 
signals being generated by instructions which are 

110 inserted in the main operating loop of the microp- 
rocessor system, said instructions consisting of a 
HALT instruction preceded by an instruction to set 
the non voting state, and followed by an instruction 
to set the voting state, and each microprocessor runs 

115 through a sequence until each performs the HALT 
instruction, whereupon each microprocessor waits 
until a timer interrupt signal occurs which is gener- 
ated by said timers via said majority gate and 
thereby provide instruction synchronism for the 

120 system. 

3. A triple redundant microprocessor system as 
claimed in claim 2 wherein each microprocessor 
includes a frequency clock oscillator which is main- 
tained in synchronism with the other oscillators by a 

125 phase-locked loop arrangement which is used to 
provide a bias voltage for a variable conductive 
semiconductor device connected in series with each 
respective oscillator to permit the majority voting 
circuits to function in synchronism. 

130 4. A triple redundant microprocessor as claimed 
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in claim 3 wherein the variable conductive semicon- 
ductor device is a varactor diode, 

5. A triple redundant microprocessor substan- 
tially as described with reference to the accompany- 
5 ing drawings. 
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